'\" te .\" Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved. .TH pam_tty_tickets 5 "25 Jul 2012" "SunOS 5.11" "Standards, Environments, and Macros" .SH NAME pam_tty_tickets \- PAM authentication module .SH SYNOPSIS .LP .nf pam_tty_tickets.so.1 [timeout=\fIminutes\fR] [\fIsudo-compat\fR] [\fBdebug\fR] .fi .SH DESCRIPTION .sp .LP The \fBpam_tty_tickets\fR module provides a mechanism for checking a ticket that was created by a prior successful authentication. Tickets by default validity of 5 minutes. .sp .LP The default ticket location includes both the \fBsource\fR (\fBPAM_AUSER\fR) and \fBdestination\fR (\fBPAM_USER\fR) as well as the \fBtty\fR (\fBPAM_TTY\fR) for which it is valid. .sp .LP The module can be configured using the \fBsudo\(emcompat\fR option to store the tickets in the same location as \fBsudo\fR, though use of \fBsudo\fR is not required to use this feature. .sp .LP The \fBpam_sm_setcred()\fR function creates a ticket for the user in the tickets directory. .sp .LP The \fBpam_sm_authenticate()\fR function checks the timestamp on the ticket is no older than the timeout value, if is then it returns \fBPAM_SUCCESS\fR. If it is older then the ticket is removed and the module returns \fBPAM_IGNORE\fR. .sp .LP This module is intended to be placed in the \fBauth\fR stack with the sufficient control flag. .sp .LP No messages are produced by this module using the PAM conversation function. Some messages are sent to syslog for error conditions as as well as messages at \fBLOG_INFO\fR for ticket validity checking .sp .LP The following options can be passed to the module: .sp .ne 2 .mk .na \fB\fBdebug\fR\fR .ad .RS 15n .rt Debugging information is sent to \fBsyslog\fR \fBLOG_AUTH|LOG_DEBUG\fR. .RE .sp .ne 2 .mk .na \fB\fIsudo-compat\fR\fR .ad .RS 15n .rt Location of the per user (per \fBtty\fR) tickets, matches the \fBsudo\fR location. When this option is set \fBPAM_USER\fR must be root other wise the module returns \fBPAM_IGNORE\fR and tickets are not read or created. .RE .sp .ne 2 .mk .na \fB\fItimeout\fR\fR .ad .RS 15n .rt Validity time in minutes for a ticket. The default is 5 minutes. .RE .SH EXAMPLES .LP \fBExample 1 \fRUsing the Default Settings .sp .LP The following is an excerpt of a sample \fBpam.conf\fR configuration file that has per \fBtty\fR tickets with the default time out (\fB5\fR minutes) for users authenticating with \fBsu\fR(1M): .sp .in +2 .nf su auth required pam_unix_cred.so.1 su auth sufficient pam_tty_tickets.so.1 su auth requisite pam_authtok_get.so.1 su auth required pam_dhkeys.so.1 su auth required pam_unix_auth.so.1 .fi .in -2 .sp .LP \fBExample 2 \fRChanging the Default Settings .sp .LP The following example changes the defaults so that tickets are valid for 10 minutes and uses the \fBsudo\fR location: .sp .in +2 .nf su auth required pam_unix_cred.so.1 su auth sufficient pam_tty_tickets.so.1 sudo-compat timeout=10 su auth requisite pam_authtok_get.so.1 su auth required pam_dhkeys.so.1 su auth required pam_unix_auth.so.1 .fi .in -2 .sp .SH ERRORS .sp .ne 2 .mk .na \fB\fBPAM_SUCCESS\fR\fR .ad .RS 15n .rt Ticket is valid .RE .sp .ne 2 .mk .na \fB\fBPAM_IGNORE\fR\fR .ad .RS 15n .rt All other cases .RE .SH FILES .sp .ne 2 .mk .na \fB\fB/system/volatile/tty_tickets///\fR\fR .ad .sp .6 .RS 4n Default ticket location. .RE .sp .ne 2 .mk .na \fB\fB/system/volatile/sudo//\fR\fR .ad .sp .6 .RS 4n When used \fBsudo-compat\fR is set this file has the same format as those created by \fBsudo\fR. .RE .SH ATTRIBUTES .sp .LP See \fBattributes\fR(5) for descriptions of the following attributes: .sp .sp .TS tab() box; cw(2.75i) |cw(2.75i) lw(2.75i) |lw(2.75i) . ATTRIBUTE TYPEATTRIBUTE VALUE _ Interface StabilitySee below. .TE .sp .LP The \fBsyslog\fR messages are Volatile. The module name, module options, and ticket locations are Committed. .SH SEE ALSO .sp .LP \fBsu\fR(1M), \fBsudo\fR(1M), \fBpam\fR(3PAM), \fBpam_sm_authenticate\fR(3PAM), \fBpam_sm_setcred\fR(3PAM), \fBattributes\fR(5)